GDPR and Google Analytics

A lot has been written and said about GDPR over the last few months, and I expect that to continue. New interpretations appear on the net every day, and something close to panic has set in now that the Regulation applies. Let us not forget, however, that Bulgaria already has a Personal Data Protection Act, which regulates largely the same relationships as the Regulation, mostly in an offline environment. As far as the online environment is concerned, the issues I consider important, those related to collecting data on our users' behaviour, are avoided in most discussions. To a large extent these issues will remain open for some time, since they also fall under the proposed ePrivacy Regulation, which will be under discussion for a long while yet. However, after 25 May 2018 we will continue to use Google Analytics on our sites, collect data and generate reports. How will GDPR and Google Analytics work together?

What is Google Analytics and how does it work?

Search the web and you will find many good articles showing how useful Google Analytics can be for your business. In Bulgaria, almost every site has Google Analytics installed as its web analytics tool.

The Absolute Beginner’s Guide to Google Analytics – https://moz.com/blog/absolute-beginners-guide-to-google-analytics

First steps with Google Analytics - https://support.google.com/analytics/answer/1008015?hl=bg

9 Awesome Things You Can Do With Google Analytics 5 – https://blog.kissmetrics.com/awesome-google-analytics/

Generally, Google Analytics lets you track and collect visitor information on your website by installing a JavaScript snippet on your web pages. Google then processes this information on its own servers, and you get downloadable reports detailing how visitors use your website: which pages visitors found, which pages they visit most often, how long they stay on your site, what kind of devices they use, demographics, and so on. More advanced users can measure content performance by setting goals. All that information gives valuable insight into your website users' behaviour.

How will GDPR affect the use of Google Analytics?

In short, when you use Google Analytics you pass data to Google, and some of it is personal data, that is, data relating to an identifiable individual (a data subject). Under the current local law some of these data are not protected, but GDPR changes this.

Regarding the Regulation, it is essential to be clear about the roles: you are the data controller, and Google is your data processor.

The General Data Protection Regulation applies from 25 May 2018 and aims to give greater protection to the personal data of individuals (data subjects) in the EU, reflecting how far technology has advanced and how much we all use it. Under the broader definition in GDPR, personal data is any information that can identify a person by "all the means reasonably likely to be used", taking into account how a person could be identified if you combine otherwise unrelated sets of data you hold. So it still includes information such as someone's name and address, but it now also covers online identifiers, including IP addresses, cookie identifiers and pseudonymised data. Pseudonymisation, as the Commission for Personal Data Protection (the Bulgarian supervisory authority) explains it, is a privacy technique in which personal data is processed in such a way that it can no longer be attributed to a specific individual without the use of additional information, and that additional information is kept separately and protected by technical and organisational measures.

If you:

  • operate an online store in the EU and therefore process the personal data of individuals in the EU, or

  • monitor the behaviour of users on your website,

then GDPR applies to you.

It means you have to comply with the GDPR requirements, and you also have to be able to prove that you are doing so.

So what's in common between GDPR and Google Analytics?

When you use Google Analytics, you pass the data you have collected to Google so that it can generate the reports you need. Under current data protection legislation, at least some of the data used in Google Analytics is probably not personal data, but under the broader definitions of GDPR, as mentioned, it will be.

The issue is complicated further because you need to look at both directions:

  • the data you allow Google to access, and

  • the data from Google that you use in the reports Google Analytics produces.

For example, you could collect, and give Google access to:

  • email addresses, if they are part of the login process on your website and end up in the URLs or events you send, or

  • usernames in the URLs of the pages you track, because the username is part of the URL (for example, https://www.site.com/user/johnsmith).

And Google's own data can give you the ability to identify an individual by "any means reasonably likely to be used", for example through an IP address.

Learn more about how to track logged-in users of your site: developers.google.com/analytics
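The simplest technical defence against the username and email leaks described above is to scrub the page path and query string before they are handed to Google. The following is an added example, not code from the original article or from Google; the path conventions (/user/<name>, /profile/<name>) and the list of sensitive query-string keys are assumptions about a hypothetical site and must be adapted to your own URL layout.

```javascript
// Added example (not from the original article or from Google): remove
// personally identifiable information from a page URL before it is sent to
// Google Analytics as page_path.  The segment names in USER_SEGMENTS and the
// keys in PII_QUERY_KEYS are assumptions about a hypothetical site.

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Path segments that are followed by a user identifier on this (hypothetical) site.
const USER_SEGMENTS = new Set(['user', 'users', 'profile', 'member']);

// Query-string keys whose values are personal data and must never reach Google.
const PII_QUERY_KEYS = new Set(['email', 'e-mail', 'user', 'username', 'name', 'phone', 'token', 'session']);

// decodeURIComponent throws on malformed input; fall back to the raw string.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Replace the identifier that follows a user segment, then mask any email
// address that appears anywhere in the path (e.g. /unsubscribe/john@example.com).
function scrubPath(pathname) {
  const parts = safeDecode(pathname).split('/');
  for (let i = 0; i < parts.length - 1; i++) {
    if (USER_SEGMENTS.has(parts[i].toLowerCase()) && parts[i + 1] !== '') {
      parts[i + 1] = 'REDACTED';
    }
  }
  return parts.join('/').replace(EMAIL_RE, 'REDACTED');
}

// Drop sensitive keys entirely; for the keys that are kept, mask emails inside
// the value (a search box is a common way for an address to end up in a URL).
function scrubQuery(search) {
  if (!search) return '';
  const kept = new URLSearchParams();
  for (const [key, value] of new URLSearchParams(search)) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) continue;
    kept.append(key, value.replace(EMAIL_RE, 'REDACTED'));
  }
  const out = kept.toString();
  return out ? '?' + out : '';
}

// Build the page_path value to report; `url` must be absolute (location.href is).
function analyticsPagePath(url) {
  const u = new URL(url);
  return scrubPath(u.pathname) + scrubQuery(u.search);
}

// In the browser (tracking ID is a placeholder):
//   gtag('config', 'UA-XXXXXXX-Y', { page_path: analyticsPagePath(location.href) });
```

This only cleans what your own page sends as the path. A username that reaches Google through the page title, an event label or a custom dimension needs the same treatment, and it is worth checking the collected URLs in your reports after deployment to confirm nothing slipped through.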

Do not forget the pages for logged-in users

Just because content is only available to users who have logged in to your website (for example, as members) does not mean that the personal data collected there is exempt from the GDPR requirements.

You need a legal basis for processing (collecting, using, storing, etc.) data, and like many businesses you may rely on the individual's consent. At first sight it seems easy to get someone to agree that you can use their data for your purposes. Unfortunately, under GDPR the question of consent is much more complicated. The Regulation also requires data minimisation: collect as little data as possible, and only when you have a reason to collect it. For example, if you are an online shop and you want to sell me a product and deliver it, you need my name, phone number and address, and possibly an email address if registration is required and there is no quick-order option on your site. So ask yourself: what data do we actually get from the Analytics reports, and do we need it?

Does Google meet the GDPR requirements?

Google is committed to complying with GDPR and points out, for example, that Internet users have the option of "installing the Google Analytics Opt-out Browser Add-on". The problem is that this does not mean that your responsibility is somehow transferred to Google or to anyone else.

The official opt-out extension is the easiest way to opt out and should keep working even when Google changes its services. However, the extension has several shortcomings. It must be installed on your computer, and installing software to stop other software from tracking your activity seems a little counterproductive. On the other hand, using an extension instead of the usual cookie-based opt-out has the advantage that the opt-out is more permanent and does not stop working when you clear your cookies. What the extension does not do is prevent Google from knowing which websites you visit: it works by blocking the sending of hits to Google Analytics, but the Google Analytics JavaScript is still fetched from Google's servers, and that request, with its Referer header, still tells Google which page you are on.

If you do not want your own visits to be tracked by Google Analytics, you can install the add-on in your browser.

If you look closely at Google's own Terms of Service for Google Analytics (which you accept when you set it up), it is clearly stated that YOU are "solely responsible" for your use of Google Analytics, and in particular for

  • ensuring that nothing you pass to Google could be used or recognised by Google as "personally identifiable information" (i.e. something that identifies a person), and

  • having a proper, published privacy policy.

So sending data that could identify a person may be a violation both of GDPR and of your agreement with Google. It means that not only could the Commission for Personal Data Protection (the body that monitors GDPR compliance in Bulgaria) fine you, but you are also likely to lose the use of Google Analytics, because Google may terminate your agreement.

Infographic from the European Commission (available in English)

What should you do if you want to continue using Google Analytics?

(1) Get to know the data you store

Many businesses store data that is never used, so regular data clean-up is always a good idea, especially in the context of GDPR. Remember that you may keep personal data only for as long as is necessary for the purpose you collected it for.

  • Be aware of what data you hold and how you process it (use, store, etc.).

  • Then look at what information you actually need to collect and use, and for how long you need it.

Do you have a legal basis for processing? If not, there is still time to fix things. For example, if you rely on someone's consent to use their data, make sure that the consent you obtained meets the GDPR standard. Otherwise you may not legally use that data after 25 May 2018.

Once you have done this, make sure you permanently delete everything you do not need or cannot justify keeping.

It may seem time-consuming, but in the end you will be ready and compliant with GDPR, especially if you repeat the exercise regularly.

(2) Check your privacy policy and terms of use

Google requires you to have a clear and GDPR-compliant privacy policy. Do not be the one sitting there at 23:00 on 24 May trying to write or find one.

Since you are responsible for your organisation's compliance, consider adopting a complete data protection policy (defining how your business will meet its data protection obligations) together with appropriate training, in-house or external, so that everyone is aware of the organisation's responsibilities and what they need to do. In my opinion, it is also time to appoint a named employee who will be responsible for the data collected through Google Analytics.

My advice to every business is to have at least ONE consultation with a lawyer about the specific aspects of their business and the drafting of Terms of Service, a Cookies Policy/Privacy Policy, and the procedure for destroying data.

(3) Clearly explain how you will use Google Analytics data

Make sure you set a clear limit so that you do not inadvertently share any "personally identifiable information".

If someone else has access to your Google Analytics account (for example, an agency or a freelancer who helps you analyse your website), be clear about the ownership of the account and who is responsible for it, control who has access, and clarify what they can (and cannot) do. Remove all permissions that are not strictly necessary. For example, if you worked with a freelancer and are now working with an agency, the freelancer's access must be revoked unless you continue to work with them. Never hand out the email and password of the Google account itself; give each person their own access through User Management in Google Analytics, so that you can revoke it individually.

If you do not need to process personal data in Google Analytics, you can anonymise IP addresses; Google then truncates the address before it is stored. For more information on how to do this, read: https://support.google.com/analytics/answer/2763052?hl=en#

(4) Compliance for international data transfers

Google is a US company, and although some of its servers are located in the European Economic Area, there is still a chance that some data will be transferred outside it. Because Google will be your data processor, you have to check that Google offers a valid GDPR mechanism for transferring data outside the EEA. Google currently relies on the EU-US Privacy Shield, but this is a dynamic environment and things are changing. Since it is your responsibility, have a simple process that shows you regularly check that Google adheres to GDPR, so you can prove that you are meeting your obligations.

How to check the security of your Google Account: https://myaccount.google.com/security-checkup

Last week (23.03.2018) I received an official email. Google has announced its new user consent policy, which takes effect on 25.05.2018 and is in compliance with GDPR. Be aware that if you have not yet accepted the new terms, you must visit your Google Analytics account to do so.

(5) Remember the rights of data subjects

Finally, under GDPR, data subjects have much more control over their data. If you want to continue using analytics tools and are concerned that some personal data (such as IP addresses) may be used, the most sensible approach is to make sure that the users of your website

  • know that you are using Google Analytics and understand how it works and how their data is used;

  • give their explicit consent to their data being processed by Google Analytics;

  • can change their minds about consent and withdraw it easily and at any time.
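The three consent requirements above, together with the IP anonymisation setting from step (3), can be enforced in the page itself: do not load the Google Analytics script until consent has been recorded, configure it with anonymize_ip, and honour withdrawal through Google's documented ga-disable-<ID> switch. The following is an added example, not code from the original article or from Google; the tracking ID UA-00000000-0, the storage key ga_consent and the in-memory stand-ins for localStorage, script loading and gtag are assumptions so that the logic can be exercised outside a browser.

```javascript
// Added example (not from the original article or from Google): gate the
// loading of Google Analytics behind explicit, revocable consent and turn on
// IP anonymisation.  TRACKING_ID and CONSENT_KEY are placeholders for this
// illustration; `storage`, `loadScript`, `gtag` and `global` are injected so
// the same logic runs in a browser (window.localStorage, a <script> injector,
// the gtag function from Google's snippet, window) and in this offline demo.

const TRACKING_ID = 'UA-00000000-0';                 // placeholder property ID, not a real one
const CONSENT_KEY = 'ga_consent';                    // assumed key under which consent is recorded
const DISABLE_FLAG = 'ga-disable-' + TRACKING_ID;    // Google's documented opt-out switch

function createAnalyticsGate({ storage, loadScript, gtag, global = globalThis }) {
  let scriptLoaded = false;

  // localStorage can throw (private browsing, blocked storage); treat that as "no consent".
  function readConsent() {
    try { return storage.getItem(CONSENT_KEY); } catch (e) { return null; }
  }
  function writeConsent(value) {
    try { storage.setItem(CONSENT_KEY, value); } catch (e) { /* cannot persist; honour this page view only */ }
  }

  function hasConsent() { return readConsent() === 'granted'; }

  // Call on every page load.  Returns true if Analytics was (re)configured,
  // false if nothing was loaded because consent is absent or withdrawn.
  function start() {
    if (!hasConsent()) return false;
    global[DISABLE_FLAG] = false;                     // re-enable after an earlier withdrawal
    if (!scriptLoaded) {                              // fetch gtag.js only once, and only now
      loadScript('https://www.googletagmanager.com/gtag/js?id=' + TRACKING_ID);
      gtag('js', new Date());
      scriptLoaded = true;
    }
    // anonymize_ip makes Google truncate the visitor's IP address before the hit is stored.
    gtag('config', TRACKING_ID, { anonymize_ip: true });
    return true;
  }

  function grant() { writeConsent('granted'); return start(); }

  // Withdrawal: record the choice and set the flag the tracking code checks
  // before sending hits, so an already-loaded script stops reporting.
  function withdraw() { writeConsent('denied'); global[DISABLE_FLAG] = true; return false; }

  return { hasConsent, start, grant, withdraw };
}

// Constructed in-memory stand-ins so the gate can be exercised outside a browser;
// `calls` records every script load and gtag call in order.
function makeFakes() {
  const store = new Map();
  const calls = [];
  return {
    storage: {
      getItem: key => (store.has(key) ? store.get(key) : null),
      setItem: (key, value) => { store.set(key, String(value)); },
    },
    loadScript: src => { calls.push(['script', src]); },
    gtag: (...args) => { calls.push(['gtag', ...args]); },
    global: {},
    calls,
  };
}

// Walk through the lifecycle (page load, consent, withdrawal) and report what happened.
function demo() {
  const fakes = makeFakes();
  const gate = createAnalyticsGate(fakes);
  const startBeforeConsent = gate.start();          // false: no consent recorded yet
  const callsBeforeConsent = fakes.calls.length;    // 0: nothing fetched, nothing sent
  gate.grant();
  const config = fakes.calls.find(c => c[0] === 'gtag' && c[1] === 'config');
  gate.withdraw();
  return {
    startBeforeConsent,
    callsBeforeConsent,
    anonymized: Boolean(config) && config[3].anonymize_ip === true,
    disabledAfterWithdraw: fakes.global[DISABLE_FLAG] === true,
    startAfterWithdraw: gate.start(),               // false again once consent is withdrawn
  };
}
```

In a real page you would pass window.localStorage, a function that appends a script tag to the document, the gtag function from Google's snippet and window, call gate.start() on page load and gate.grant() / gate.withdraw() from the consent banner. Withdrawal stops further hits but does not remove the _ga and _gid cookies Google has already set; delete those separately. The browser add-on described earlier remains the visitor's own, independent opt-out.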

According to the interpretation of the Commission for Personal Data Protection concerning GDPR:
"Consent is one of the alternative grounds for lawful processing of personal data. If the controller decides to process data on this basis, it should be able to demonstrate that the consent is:
· Freely given - not under pressure or the threat of adverse consequences (e.g. a higher price for the service);
· Specific - separate consent for each specific purpose and, where relevant, for each particular category of personal data;
· Informed - given on the basis of complete, accurate and easily understandable information;
· Unambiguous - not inferred or implied from other statements or actions of the individual;
· Given by an explicit statement or a clear affirmative action, including online. Silence or pre-ticked consent boxes cannot be accepted as valid consent."

You can read more in the Practical Issues of Personal Data Protection on the website of the Commission for Personal Data Protection: https://www.cpdp.bg/?p=element&aid=1115

Useful GDPR links for businesses:

EU guidelines on GDPR implementation: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Rules for companies and organizations: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en

What is a breach of data security and what should be done in the event of a data security breach? https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_bg

Proposal for an ePrivacy Regulation: https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation

Guide to the General Data Protection Regulation (GDPR) published by the ICO (the UK's data protection authority): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/

Data Protection - Better Rules for Small Business (infographics): https://ec.europa.eu/justice/smedataprotect/index_en.htm
